Cyber security news April 2021

This posting is here to collect cyber security news in April 2021.

I post links to security vulnerability news in the comments of this article.

You are also free to post related links in the comments.

171 Comments

  1. Tomi Engdahl says:

    Joseph Cox / VICE:
    Facebook says a vulnerability that lets attackers find a Facebook profile given an email address is still active after being “erroneously closed out”

    Tool Links Email Addresses to Facebook Accounts in Bulk
    https://www.vice.com/en/article/bvz8pz/tool-finds-facebook-email-addresses

    A video shared with researchers and Motherboard shows a tool linking email addresses to Facebook accounts.

    Reply
  2. Tomi Engdahl says:

    Abner Li / 9to5Google:
    Google says it will audit WebView and implement a WebView “Safe Mode” after a bug impacting WebView and Chrome caused many Android apps to crash last month

    Google explains why WebView crashed Android apps last month and upcoming mitigations
    https://9to5google.com/2021/04/20/android-webview-crash-fix/

    Following Android users worldwide experiencing repeated app crashes last month, Google today released an explanation behind what went wrong and how future WebView problems will be remedied.

    This incident report was generated by the Workspace team given that Gmail and other productivity applications were impacted. Google pins the problem on a “bug within Chrome & WebView’s experiment & configuration technology.” This caused “instability” in Android apps that use WebView to render web content that in turn repeatedly crashed them.

    To make sure this kind of problem does not occur again, Google will “audit WebView and its related dependencies for production readiness,” while improving “experiment testability and roll-out process.”

    Reply
  3. Tomi Engdahl says:

    Pulse Secure Zero-Day Flaw Actively Exploited in Attacks
    https://www.securityweek.com/pulse-secure-zero-day-flaw-actively-exploited-attacks

    Multiple threat actors are actively engaged in the targeting of four vulnerabilities in Pulse Secure VPN appliances, including a zero-day identified this month that won’t be patched until next month.

    The oldest of the targeted security flaws, CVE-2019-11510 (CVSS score of 10), was patched in 2019, yet attacks continue to this date, as many organizations have not applied the available fixes.

    Two other bugs, namely CVE-2020-8243 and CVE-2020-8260 (both with a CVSS score of 7.2), were patched last year, but their situation is no different: although fixes have been available for more than six months, patching remains very slow.

    Tracked as CVE-2021-22893 and discovered in April 2021, the fourth vulnerability won’t receive a patch until early May, but Pulse Secure says that it has already provided mitigations to a very limited number of customers affected.

    Reply
  4. Tomi Engdahl says:

    Firefox 88 Combats Cross-Site Tracking to Improve User Privacy
    https://www.securityweek.com/firefox-88-combats-cross-site-tracking-improve-user-privacy

    Mozilla this week released Firefox 88 in the stable channel with patches for a dozen vulnerabilities and with improved user privacy, obtained through isolating the window.name property to the website that created it.

    For over two decades, the window.name property has been available for websites to store whatever data they choose to, but such data has often been allowed to leak between sites, essentially allowing for the tracking of users across the pages they visit.

    The data that websites stored in window.name, Mozilla explains, has been exempt from the same-origin policy that prevented information sharing between websites. Thus, sites were able to share data about users via the window.name property.

    “Tracking companies have been abusing this property to leak information, and have effectively turned it into a communication channel for transporting data between websites. Worse, malicious sites have been able to observe the content of window.name to gather private user data that was inadvertently leaked by another website,” Mozilla says.

    To put a stop to this behavior, Firefox will no longer allow websites to access the window.name set by other sites by clearing the property when users navigate to new websites. Whenever the user navigates back to a website, Firefox will restore the property to its previous value for that site.

    Reply
  5. Tomi Engdahl says:

    Google Chrome Hit in Another Mysterious Zero-Day Attack
    https://www.securityweek.com/google-chrome-hit-another-mysterious-zero-day-attack

    Google late Tuesday shipped another urgent security patch for its dominant Chrome browser and warned that attackers are exploiting one of the zero-days in active attacks.

    This is the fourth in-the-wild Chrome zero-day discovered so far in 2021 and the continued absence of IOC data or any meaningful information about the attacks continues to raise eyebrows among security experts.

    The newest Chrome update — 90.0.4430.85 — is available for Windows, Mac and Linux users and is being rolled out via the browser’s automatic update mechanism.

    According to a Google Chrome advisory, the update patches at seven security vulnerabilities but the company only provided one-line documentation and CVE IDs for five bugs.

    The vulnerability being exploited is identified as CVE-2021-21224 and simply described as a “type confusion” in the V8 Chrome rendering engine. Google credited Jose Martinez (tr0y4) from VerSprite Inc. for reporting the vulnerability.

    “Google is aware of reports that exploits for CVE-2021-21224 exist in the wild,” the company said.

    Reply
  6. Tomi Engdahl says:

    Pulse Connect Secure Security Update
    https://blog.pulsesecure.net/pulse-connect-secure-security-update/
    The Pulse Secure team recently discovered that a limited number of
    customers have experienced evidence of exploit behavior on their Pulse
    Connect Secure (PCS) appliances. We are sharing information about the
    investigation and our actions through several communications channels
    in the best interests of our customers and the greater security
    community. Also:
    https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html
    Also:
    https://www.reuters.com/technology/china-linked-hackers-used-pulse-secure-flaw-target-us-defense-industry-2021-04-20/
    Also:
    https://www.bleepingcomputer.com/news/security/pulse-secure-vpn-zero-day-used-to-hack-defense-firms-govt-orgs/
    Also:
    https://therecord.media/chinese-hackers-use-new-pulse-secure-vpn-zero-day-to-breach-us-defense-contractors/
    Also:
    https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755
    Also:
    https://www.kyberturvallisuuskeskus.fi/fi/haavoittuvuus_12/2021

    Reply
  7. Tomi Engdahl says:

    Remote code execution vulnerabilities uncovered in smart air fryer
    https://www.zdnet.com/article/remote-code-execution-vulnerabilities-uncovered-in-smart-air-fryer
    In another example of how connectivity can impact our home security,
    researchers have disclosed two remote code execution (RCE)
    vulnerabilities in a smart air fryer.

    The team tested the Cosori Smart 5.8-Quart Air Fryer CS158-AF (v.1.1.0) and discovered CVE-2020-28592 and CVE-2020-28593. The first vulnerability is caused by an unauthenticated backdoor and the second, a heap-based overflow issue — both of which could be exploited via crafted traffic packets, although local access may be required for easier exploitation.

    The vulnerabilities have now been disclosed without any fix. According to Talos researchers, Cosori did not “respond appropriately” within the typical 90-day vulnerability disclosure period, and so — perhaps — now the vendor will consider issuing a patch now the issues are public.

    Reply
  8. Tomi Engdahl says:

    Internal Facebook email reveals intent to frame data scraping as
    ‘normalized, broad industry issue’
    https://www.zdnet.com/article/facebook-internal-email-reveals-intent-to-frame-data-scraping-as-broad-industry-issue-and-normalized
    An internal email accidentally leaked by Facebook to a journalist has
    revealed the firm’s intentions to frame a recent data scraping
    incident as “normalized” and a “broad industry issue.”

    Reply
  9. Tomi Engdahl says:

    Over 750,000 Users Downloaded New Billing Fraud Apps From Google Play
    Store
    https://thehackernews.com/2021/04/over-750000-users-download-new-billing.html
    Researchers have uncovered a new set of fraudulent Android apps in the
    Google Play store that were found to hijack SMS message notifications
    for carrying out billing fraud. The apps in question primarily
    targeted users in Southwest Asia and the Arabian Peninsula, attracting
    a total of 700,000 downloads before they were discovered and removed
    from the platform. Also:
    https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clever-billing-fraud-applications-on-google-play-etinu/
    Also:
    https://www.trendmicro.com/en_us/research/21/c/no-laughing-matter-joker-latest-ploy.html

    Reply
  10. Tomi Engdahl says:

    The Incredible Rise of North Korea’s Hacking Army
    https://www.newyorker.com/magazine/2021/04/26/the-incredible-rise-of-north-koreas-hacking-army
    The country’s cyber forces have raked in billions of dollars for the
    regime by pulling off schemes ranging from A.T.M. heists to
    cryptocurrency thefts. Can they be stopped?

    IntelBrief: QAnon A U.S. National Security Threat Amplified by
    Foreign-Based Actors
    https://thesoufancenter.org/intelbrief-2021-april-20/
    In testimony last week to the United States Senate Intelligence
    Committee, FBI Director Christopher Wray highlighted the continuing
    national security threat posed by adherents of the QAnon conspiracy
    theory.

    Reply
  11. Tomi Engdahl says:

    U.S. Helping Ukraine Foil Russian Cyberattacks as Hacking Spikes: Sources
    https://www.usnews.com/news/world-report/articles/2021-04-20/us-helping-ukraine-foil-russian-cyberattacks-as-hacking-spikes-sources

    U.S. News has learned that Ukraine, working with U.S. partners, has foiled at least 350 Russian cyberattacks in recent weeks while Moscow’s forces mass on the border.

    Reply
  12. Tomi Engdahl says:

    Dustin Volz / Wall Street Journal:
    Internal memo: DOJ has formed a taskforce to combat the proliferation of ransomware attacks, targeting the entire ecosystem with prosecutions and more

    Ransomware Targeted by New Justice Department Task Force
    https://www.wsj.com/articles/ransomware-targeted-by-new-justice-department-task-force-11619014158?mod=djemalertNEWS

    After ‘worst year ever’ for the cyberattacks, department seeks to disrupt digital ecosystem that supports them

    Reply
  13. Tomi Engdahl says:

    “By including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated reports” :D

    Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app’s perspective
    https://signal.org/blog/cellebrite-vulnerabilities/

    Cellebrite makes software to automate physically extracting and indexing data from mobile devices. They exist within the grey – where enterprise branding joins together with the larcenous to be called “digital intelligence.” Their customer list has included authoritarian regimes in Belarus, Russia, Venezuela, and China; death squads in Bangladesh; military juntas in Myanmar; and those seeking to abuse and oppress in Turkey, UAE, and elsewhere. A few months ago, they announced that they added Signal support to their software.

    Their products have often been linked to the persecution of imprisoned journalists and activists around the world, but less has been written about what their software actually does or how it works. Let’s take a closer look. In particular, their software is often associated with bypassing security, so let’s take some time to examine the security of their own software.

    They produce two primary pieces of software (both for Windows): UFED and Physical Analyzer.

    UFED creates a backup of your device onto the Windows machine running UFED (it is essentially a frontend to adb backup on Android and iTunes backup on iPhone, with some additional parsing). Once a backup has been created, Physical Analyzer then parses the files from the backup in order to display the data in browsable form.

    When Cellebrite announced that they added Signal support to their software, all it really meant was that they had added support to Physical Analyzer for the file formats used by Signal.

    Anyone familiar with software security will immediately recognize that the primary task of Cellebrite’s software is to parse “untrusted” data from a wide variety of formats as used by many different apps. That is to say, the data Cellebrite’s software needs to extract and display is ultimately generated and controlled by the apps on the device, not a “trusted” source, so Cellebrite can’t make any assumptions about the “correctness” of the formatted data it is receiving. This is the space in which virtually all security vulnerabilities originate.

    For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.

    Reply
  14. Tomi Engdahl says:

    Well now. We also know Russia is deeply a problem here as well. I hope Russia and China are taking on each other much worse.

    China behind another hack as U.S. cybersecurity issues mount
    https://www.nbcnews.com/tech/security/china-another-hack-us-cybersecurity-issues-mount-rcna744?utm_source=facebook&utm_medium=news_tab&utm_content=algorithm

    Cybersecurity company Mandiant said Pulse Secure, a program that businesses often use to let workers remotely connect to their offices, had been compromised.

    China is behind a newly discovered series of hacks against key targets in the U.S. government, private companies and the country’s critical infrastructure, cybersecurity firm Mandiant said Wednesday.

    The hack works by breaking into Pulse Secure, a program that businesses often use to let workers remotely connect to their offices.

    The campaign is the third distinct and severe cyberespionage operation against the U.S. made public in recent months, stressing an already strained cybersecurity workforce. The U.S. government accused Russia in January of hacking nine government agencies via SolarWinds, a Texas software company widely used by American businesses and government agencies. In March, Microsoft blamed China for starting a free-for-all where scores of different hackers broke into organizations around the world through the Microsoft Exchange email program.

    Reply
  15. Tomi Engdahl says:

    Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app’s perspective
    https://signal.org/blog/cellebrite-vulnerabilities/

    Reply
  16. Tomi Engdahl says:

    Linux bans University of Minnesota for committing malicious code
    https://www.bleepingcomputer.com/news/security/linux-bans-university-of-minnesota-for-committing-malicious-code/

    In a rare, groundbreaking decision, Linux kernel project maintainers have imposed a ban on the University of Minnesota (UMN) from contributing to the open-source Linux project.

    The move comes after a group of UMN researchers were caught submitting a series of malicious code commits, or patches that deliberately introduced security vulnerabilities in the official Linux codebase, as a part of their research activities.

    Additionally, the Linux kernel project maintainers have decided to revert any and all code commits that were ever submitted from @umn.edu email addresses.

    Malicious commits mass-reverted, UMN researchers banned
    Today, a major Linux kernel developer, Greg Kroah-Hartman has banned the University of Minnesota (UMN) from contributing to the open-source Linux kernel project.

    As seen by BleepingComputer, there are hundreds of commits touting themselves to be “patches” that have been reverted as a part of this process

    UMN Researchers call the accusations “slander”
    Soon enough, researcher Aditya Pakki from UMN pushed back asking Kroah-Hartman to refrain “from making wild accusations that are bordering on slander.”

    “If you wish to do work like this, I suggest you find a different community to run your experiments on, you are not welcome here,” said Kroah-Hartman.

    “Because of this, I will now have to ban all future contributions from your University and rip out your previous contributions, as they were obviously submitted in bad-faith with the intent to cause problems,” he continued.

    UMN researchers have compiled a detailed FAQ document in which they state that the goal of their research was to improve the security of the patching process in open-source software by demonstrating the practicality of bug-introducing patches.

    The researchers also stated that any patch suggestions were made via email exchanges and never made it into any code branch, or the Linux kernel.

    According to the document, the University’s IRB determined that this was not human research or ethically harmful, and as such cleared the research activities.

    Although, the researchers did offer their sincere apologies to Linux maintainers for the time wasted on reviewing “hypocrite” patches

    Reply
  17. Tomi Engdahl says:

    In epic hack, Signal developer turns the tables on forensics firm Cellebrite
    Widely used forensic software can be exploited to infect investigators’ computers.
    https://arstechnica.com/information-technology/2021/04/in-epic-hack-signal-developer-turns-the-tables-on-forensics-firm-cellebrite/

    For years, Israeli digital forensics firm Cellebrite has helped governments and police around the world break into confiscated mobile phones, mostly by exploiting vulnerabilities that went overlooked by device manufacturers. Now, Moxie Marlinspike—creator of the Signal messaging app—has turned the tables on Cellebrite.

    On Wednesday, Marlinspike published a post that reported vulnerabilities in Cellebrite software that allowed him to execute malicious code on the Windows computer used to analyze devices. The researcher and software engineer exploited the vulnerabilities by loading specially formatted files that can be embedded into any app installed on the device.

    Virtually no limits
    “There are virtually no limits on the code that can be executed,” Marlinspike wrote.

    Reply
  18. Tomi Engdahl says:

    Signal CEO gives mobile-hacking firm a taste of being hacked
    https://www.bleepingcomputer.com/news/security/signal-ceo-gives-mobile-hacking-firm-a-taste-of-being-hacked/

    Software developed by data extraction company Cellebrite contains vulnerabilities that allow arbitrary code execution on the device, claims Moxie Marlinspike, the creator of the encrypted messaging app Signal.

    Cellebrite products are commonly used by police and governments to unlock iOS and Android phones and extract data on them. Last December, the company announced that its Physical Analyzer also gave access to data from Signal.

    The researcher provides proof of successful exploitation of UFED, Cellebrite’s product for collecting evidence from sources ranging from mobile devices and apps to public-domain social media services.

    While the announcement is far from the protocol of responsible disclosure, Marlinspike says that he will provide Cellebrite the specifics of the vulnerabilities if the company does the same for all the security issues they exploit for physical extraction services “now and in the future.”

    In seemingly “completely unrelated” news, Marlinspike says that future versions of Signal will add to the app storage files that are “aesthetically pleasing.”

    These files add nothing to Signal’s functionality and will not interact with the app, “but they look nice, and aesthetics are important in software.” If these are formatted in a special way, Cellebrite’s customers will likely have a hard time demonstrating the integrity of the scan reports from devices where Signal is installed.

    Reply
  19. Tomi Engdahl says:

    The Government suspects there are certain routers that have been compromised, but they didn’t mention the router name/model… anybody have an idea?

    Or was this just someone who didn’t patch an old Cisco?

    Analysis Report (AR21-112A)
    CISA Identifies SUPERNOVA Malware During Incident Response
    https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a

    Reply
